One of the key changes to the final draft of the data protection bill is the way it deals with cross-border data flows to international jurisdictions
The draft of the data protection bill was approved on Wednesday by the Union Cabinet, paving the way for its introduction in the Monsoon session of Parliament. The law, if the bill is passed, will become India’s core data governance framework, six years after the Supreme Court declared privacy a fundamental right. To provide the framework for the rapidly growing digital ecosystem, the bill is one of the four proposed laws in the IT and telecom sectors.
Including those that were red flagged by privacy experts, the Digital Personal Data Protection Bill, 2022, approved by the Cabinet, is learned to have retained the contents of the original version of the legislation proposed last November. Wide-ranging exemptions for the Central government and its agencies remain unchanged. From adverse consequences citing national security, relations with foreign governments, and maintenance of public order, among other things, the Central government will have the right to exempt “any instrumentality of the state”.
Privacy-related grievances and disputes between two parties that are learned to have been retained as well will be dealt with by the Central Government in appointing members of the Data Protection Board, an adjudicatory body. The Central government will appoint the Chief Executive of the board, which will also determine the terms and conditions of their service.
After nearly four years in the works, the fresh draft was released following the withdrawal of an earlier version from Parliament last August, where it went through multiple iterations, a review by a Joint Committee of Parliament (JCP), and pushback from a range of stakeholders, including tech companies and privacy activists.
By moving away from a whitelisting approach to a blacklisting mechanism, one of the key changes to the final draft of the data protection bill is the way it deals with cross-border data flows to international jurisdictions.
In a move that could further liberalize conditions for data transfer, the proposed new law could allow global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted—essentially an official blacklist of countries where transfers would be prohibited, as reported earlier.
The Central government will notify countries or territories where personal data of Indian citizens can be transferred, that is, a whitelist of jurisdictions where data transfers would be allowed, said the draft, which was released for public consultation in November.
While processing personal data on grounds of national security and public interest, a provision on “deemed consent” in the previous draft could be reworded to make it stricter for private entities while allowing government departments to assume consent.
A senior government official said the data protection bill is expected to allow “voluntary undertaking,” meaning that entities that have violated provisions of law can bring it up with the Data Protection Board, which can decide to bar proceedings against the entity by accepting settlement fees. Repeat offenses of the same nature could attract higher financial penalties, the official said.
Rs 250 crore per instance has been prescribed as the highest penalty that can be levied on an entity for failing to prevent a data breach. Government officials, in informal conversations, have emphasized that the definition of “per instance” is subjective and could mean either an instance of a data breach or account for the number of people impacted by it and multiply it by Rs 250 crore. None of this, however, has been prescribed under law and is open to interpretation by the data protection board on a case-by-case basis.
Insisting that “advanced” plans have been made by the government to that end, they said the implementation of the data protection bill will be “digital by design”. Consent requirements under the Bill could also force companies to change the way they serve up cookies on their websites, where they will have to seek specific consent on how the cookies might track a user’s activities on their site, the official said.
Also read: How to increase Cyber Resilience in the Third-Party environment?
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News, a proprietary of Mercadeo, produces award-winning content and resources for IT leaders across any industry through print articles and recorded video interviews on topics in the technology sector such as Digital Transformation, Artificial Intelligence (AI), Machine Learning (ML), Cloud, Robotics, Cyber-security, Data, Analytics, SOC, SASE, among other technology topics
